This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
AWS Shared Responsibility model
Security and Compliance is a shared responsibility

The AWS Shared Responsibility security model
AWS is responsible for the security and compliance of the cloud, or the infrastructure that runs all of the services offered in the AWS Cloud. Cloud security at AWS is the highest priority. AWS customers benefit from a data center and network architecture that are built to meet the requirements of the most security-sensitive organizations and compliance frameworks. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. This includes controls that maintain separation between customer resources and data, along with numerous other administrative, compliance, and security-related controls.
Customers are responsible for security and compliance in the cloud, or the customer-configured systems and services provisioned on AWS. The customer assumes responsibility for and management of the guest operating system (including updates and security patches) and other associated application software, as well as the configuration of the AWS-provided security group firewall. The customer’s responsibility depends on the services used, the integration of those services into their IT environment, and applicable laws and regulations. It includes, but is not limited to, the following:
- Customers are responsible for the compliant configuration of all system components, to include AWS resources and services, included in or connected to their cardholder data environments (CDE).
- Customers are responsible for the operating systems and installed applications on Amazon Elastic Compute Cloud (Amazon EC2), and network routing and configuration of associated virtual networking components.